MyBB Upcoming Events 1.32 Cross Site Scripting

🗓️ 19 Mar 2019 00:00:00Reported by 0xB9Type

packetstorm🔗 packetstormsecurity.com👁 87 Views

MyBB Upcoming Events Plugin 1.32 Cross-Site Scripting Vulnerabilit

Reporter	Title	Published	Views	Family All 9
0day.today	MyBB Upcoming Events Plugin 1.32 - Cross-Site Scripting Vulnerability	19 Mar 201900:00	–	zdt
CNVD	Upcoming Events Cross-Site Scripting Vulnerability	11 Mar 201900:00	–	cnvd
CVE	CVE-2019-9650	11 Mar 201901:00	–	cve
Cvelist	CVE-2019-9650	11 Mar 201901:00	–	cvelist
Exploit DB	MyBB Upcoming Events Plugin 1.32 - Cross-Site Scripting	19 Mar 201900:00	–	exploitdb
EUVD	EUVD-2019-19017	7 Oct 202500:30	–	euvd
exploitpack	MyBB Upcoming Events Plugin 1.32 - Cross-Site Scripting	19 Mar 201900:00	–	exploitpack
NVD	CVE-2019-9650	11 Mar 201901:29	–	nvd
Prion	Cross site scripting	11 Mar 201901:29	–	prion

`# Exploit Title: MyBB Upcoming Events Plugin 1.32 - Cross-Site Scripting  
# Date: 3/8/2019  
# Author: 0xB9  
# Twitter: @0xB9Sec  
# Contact: 0xB9[at]pm.me  
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1231  
# Version: 1.32  
# Tested on: Ubuntu 18.04  
# CVE: CVE-2019-9650  
  
  
1. Description:  
This plugin shows upcoming calendar events on the forum index and portal page. Event names are vulnerable to XSS.  
  
  
2. Proof of Concept:  
  
- Go to the calander.php page and add a new event  
- Input a payload for the event name <script>alert('XSS')</script>  
  
Payload will be executed on index.php  
  
  
  
3. Solution:  
Update to 1.33  
`

19 Mar 2019 00:00Current

6.4Medium risk

Vulners AI Score6.4

EPSS0.02552